Re: Zone Alarm and winlogin.exe

From: mcoleman (mcoleman@uniontown.com)
Date: 12/31/01


From: "mcoleman" <mcoleman@uniontown.com>
To: "Aaron Young" <acyoung@nysernet.org>, <focus-ms@securityfocus.com>
Date: Mon, 31 Dec 2001 12:39:55 -0500

Can you tell us if it was TCP/UDP/Other and what destination port it was
trying? Also, have you WHOISed the network it was targeting?

-----Original Message-----
From: Aaron Young <acyoung@nysernet.org>
To: focus-ms@securityfocus.com <focus-ms@securityfocus.com>
Date: Monday, December 31, 2001 12:21 PM
Subject: Zone Alarm and winlogin.exe

Anyone seen this before? In the last month one of the
sites I manage had an intrusion that forced us to take
our server offline. After putting Zone Alarm on the
Win2K server to see if it caught anything rogue trying
to access the Internet, I found the following alert:

Do you want to allow
\??\C:\WINNT\system32\winlogin.exe to access the
Internet?

Since the path to winlogin.exe began with an unknown
character (\??\) I found this to be suspicious.

A.